the things we trust to github

One of the issues of using public GitHub is that, well, it’s public. Even with the layers of security, it’s all your information ‘out there’. Somewhere.

However, it is a fact of life that we all use GitHub and many large and small companies choose the hosted GitHub option over hosting an in-house, expensive GitHub Enterprise environment. The problem is that developers and operations folks sometimes push things into GitHub without thinking. How about those keys or passwords you’re meant to use Ansible Vault or StackExchange blackbox for but didn’t?

With this in mind someone on the internet wrote gitrob to try and provide some kind of insight into what you may or may not be storing in your vast, sprawling, micro-services hell of repos. It’s pretty neat and all but we’re a docker house for better or worse and we wanted it packaged neatly for us. To that end we created a docker image for gitrob and how we use it at TES Global.

In essence, using docker, you can run a container as the main backend service while running a scan container on a cron job to keep the information updated. This works well for us, but your milage will vary. You will need Postgres and a GitHub OAuth token in order to get this to work. See the README.md here for more information.

By the way, all we did was dockerize this – much kudos to Michael Henriksen for gitrob!